m 



U 



X 



A New Access Control Scheme for 
Facebook-style Social Networks 

Jun Pang and Yang Zhang 

Faculty of Science, Technology and Communication, University of Luxembourg, 

6 rue Richard Coudenhove-Kalergi, L-1359 Luxembourg 

j un . pangOuni . lu , y ang . zhang@uni . lu 



o 

rsj Abstract. The popularity of online social networks makes the protec- 

, , tion of users' private information an important but scientifically challeng- 

ed) , ing problem. In the literature, relationship-based access control schemes 

^H have been proposed to address this problem. However, with the dynamic 

developments of social networks, we identify new access control require- 
CTN ments which cannot be fully captured by the current schemes. In this 

paper, we focus on public information in social networks and treat it as 
a new dimension which users can use to regulate access to their resources. 
We define a new social network model containing users and their rela- 
tionships as well as public information. Based on the model, we introduce 
CZ3 a variant of hybrid logic for formulating access control policies. In addi- 

O tion, we exploit a type of category relations among public information 

to further improve our logic for its usage in practice. 



1 Introduction 



> 

o 

l/"~) Online social networks are among the most popular web services during the 

past five years and have attracted a huge amount of users all over the world. 
■^- For example, Facebook, the leading social network service, has more than one 

^^ billion active users [j Nowadays, online social networks, exemplified by Facebook, 

Twitter and Linkcdln, are playing a great role in our daily life. They provide 
. . a platform for users to present themselves, articulate their social circles, make 

new friends, and more importantly, to interact with each other. 

With the large amount of data maintained in social network websites, privacy 
$Jj concerning users' personal information inevitably becomes an important but sci- 

entifically challenging problem. Access control schemes are naturally introduced 
to protect users' privacy in social networks. They can be used to guarantee that 
resources are accessible by the intended users, but not by other (possibly mali- 
cious) users. Typically, users can control the access on their own information or 
resources with access control schemes supplied by the social networks. Currently, 
the existing schemes, including the ones proposed by our research community, 
are mainly relationship-based, i.e., whether the requester is able to access the 
information/resource depends on the relationship between him and the owner, 
such as friends, friends of friends, etc. 



1 http://newsroom.fb.com/ 



Due to their own nature and the development of ICT techniques, social net- 
works admit quick and dynamic evolutions. Many new services and methods for 
user interaction have emerged. For instance, users can play games with their 
friends and find people who share similar interests. More recently, with the in- 
creased popularity of GPS-enabled mobile devices, social networks have evolved 
into geo-social networks, which support location-based services - users can then 
tag posts and photos with their geographical locations, find nearby friends and 
post check-in of some places to share their comments. In Sect. [3j we take Face- 
book as a typical example and discuss its developments in the past few years. 

With these evolutions, more information and activities of users are made 
available in social networks. As a result, new access control schemes are needed 
to capture these fast developments. Let us illustrate this need by a few access 
control scenarios in social networks. For example, Alice is a fan of the French 
novelist Victor Hugo, and she has read an article about him and wants to share 
it in the social network. She intends to only grant the access to this article 
to her friends who have ever read some of Hugo's literary works. In another 
scenario, Bob is a city traveler, he owns an album that contains photos he took 
in different cities. He wishes to share this album with users who used to visit a 
same city as he did. In the third example, Charlie attended a party organized 
by a rival company of his employer. He published a status about this party and 
wants no one but his friends who work at this rival company to view it. In 
relationship-based access control schemes, a resource owner cannot exploit any 
other information but user relationships between him and the requester when 
defining policy. Therefore, the above access control requirements cannot be fully 
and precisely formulated in the current schemes supported by social networks or 
those proposed in the literature. 

In order to solve the identified problems, we propose a new access control 
scheme for online social networks. We focus on public information existing, e.g., 
in Facebook (Sect. [3]), and show that it can be used to group users based on their 
common interests and activities. Public information can thus be considered as 
a new dimension for users to regulate access to their resources. As a consequence, 
we propose a new social network model containing both a user graph and a public 
information graph (Sect. El). We then develop a hybrid logic to express this type of 
access control policies (Sect. [5]). The expressiveness of our access control scheme 
is extensively discussed through a number of real-life scenarios (Sect. [6]). In the 
end, we identify a special semantic relation, i.e., category relation, among public 
information, which allows us to express a certain type of policies in a concise 
way (Sect. uh. After the introduction, we give a brief overview of related work 
in Sect.[2j Sect. [8] compares our access control scheme with existing schemes in 
the literature. We conclude our paper with some future work in Sect.[9j 

2 Related Work 

Relationship-based access control, driven by social networks, was first advocated 
in p], and is defined as an access control paradigm that is based on interper- 



sonal relationships. Carminati et al. proposed the first relationship-based access 
control model in [2J , where the relationships between the qualified requester and 
the owner are interpreted into three aspects, i.e., relationship type, depth and 
trust level. In [5] , the authors used semantic web technology including OWL and 
SWRL to extend the model of [2J. Moreover, they proposed administrative and 
filtering policies which can be used for collaborative and supervising access con- 
trol, respectively. Security protocols based on collaboration of users for access 
control enforcement were developed in [41516) . 

Fong et al. proposed an access control scheme for Facebook-style social net- 
works [7 , in which they model the access control procedure as two stages. In 
the first stage, the requester has to find the owner of the target resource; then 
in the second one, the owner decides whether the authorization is granted or 
not. Their access control policies are mainly based on the relationships between 
the requester and the owner. Moreover, they proposed several meaningful ac- 
cess control policies based on the graph structure of social networks, such as 
n-common friends and clique. In [5], Fong introduced a modal logic to define 
access control policies for social networks. Later Fong and Siahaan [9 improved 
the previously proposed logic to further support policies like n-common friends 
and clique. In [10] , the authors adopted a hybrid logic to describe policies which 
eliminates an exponential penalty in expressing complex relationships such as 
n-common friends. A visualization tool for evaluating the effect of the access con- 
trol configurations is designed in [llj . with which a user can check what other 
users within a certain distance to him can view his resources. 

Cheng et al. proposed a rich social network model in [12] . In their work, not 
only users but also resources are treated as entities and actions performed by 
users are considered as relationships in social networks. As more information are 
incorporated in their model, many new access control policies can be expressed 
(more details can be found in Sect.pl). Their model supports administrative and 
filtering policies as proposed in [3] as well. 

As a shared platform, resources in social networks may be co-owned by a num- 
ber of users. Thus, collaborative access control also plays an essential role in pro- 
tecting privacy. A game theoretical method based on the Clarke- Tax mechanism 
for collective privacy management was proposed by Siquicciarini et al. [13] . Sun 
et al. proposed a different approach combining trust relations in social networks 
and preferential voting schemes [14]. Ahn et al. introduced a multiparty access 
control model in |15j . In addition, they developed a policy specification scheme 
and a voting based conflict resolution mechanism. Photo tagging is the most com- 
mon service relevant to collaborative access control. The authors of [16117] have 
investigated users' privacy concerns about this service and proposed principles 
for designing a better collaborative access control schemes. Besides interaction, 
users' private information can also be leaked through third party applications. 
A privacy-by-proxy design for social network APIs was developed by Felt and 
Evans [15] . Singh et al. [TJ5] proposed a privacy-preserved application platform, 
i.e., xBook, which integrates information flow model to control what applications 
can do with users' information. An access control scheme for third party appli- 



cations was developed [20], in which applications are required to adapt users' 
specifications on their own data. 



3 Motivation 

An online social network provides users with some typical services, such as users 
can build their profiles and establish social relationships with each other. More- 
over, a social network also provides a platform for users to socialize and interact 
with each other both in the digital and real world. In the following, we first 
give a brief overview to the developments of Facebook, the most popular online 
social network service in the world. After that, we discuss public information in 
Facebook and its potential usage in access control. 



3.1 Facebook 

In Facebook, each user is affiliated with a personal profile that contains his basic 
information (e.g., age and gender), work and education background, living places 
and so on. His hobbies are articulated in 'Likes'; places he has been to are marked 
in 'Map'. A user can establish friend relations with others, he can also organize 
his friends into different groups, or named friend list. 

Facebook is not only a website storing users' personal information and social 
relations, but also a platform for users to interact with each other. A user can 
directly communicate with his friends by messaging or poking; he can tag his 
friends in photos and posts. Two friends can interact through Facebook applica- 
tions such as games. All activities performed by a user are organized chronolog- 
ically in his 'Timeline' through which other users as well as the user himself can 
check his past activities conveniently. A user receives his friends' news on 'News- 
feed'. When he finds something interesting, he can further perform actions, such 
as 'like', share and comment, on it. Most recently, in January 2013 Facebook 
publishes a new product called Graph Search, a search engine based on users' 
data. It allows users to explore more information about daily life, find people 
who share common interests or live in the same city, discover new restaurants 
and music, and so onj^JFor example, if a user types in "photos by my friends", 
he will get a page containing all photos uploaded by his friends. Through Graph 
Search, a user can directly acquire information from his friends' data without 
visiting their personal pages individually. For a same query, different users will 
get different results. 

A Facebook user regulates other users' access to his resources through an au- 
dience selector. There are five modes supported in this selector, i.e., 'public', 
'friends', 'friends except acquaintances', 'only me' and 'custom'. In the custom 
mode, a user can choose the eligible requester to be a single user or a group 
(through friend list). 



https : //www . facebook . com/about/graphsearch 



3.2 Public Information 

Besides users' information, Facebook introduces public information in its sys- 
tem. A lot of entities in the real world are modeled as public information, e.g., 
countries, history events or public figures. They are mainly used as common 
reference points of users' information, through which a user can find other users 
in Facebook with similar background, hobbies, experiences, etc. For example, 
a user can find his schoolmates through the public information of the college 
that he has attended. 

Each public information is affiliated with a content that is normally extracted 
from external sources, such as Wikipedia and Bing map. Links among pub- 
lic information are based on their contents. For example, if two universities' 
Wikipedia articles are connected, then their public information in Facebook are 
also connected. There exist many different connections between users and public 
information as well. Some of these connections are based on user profiles, e.g., if 
a user specifies his employer in his profile, then he is linked with this employer's 
public information. Others are computed by Facebook through mining users' 
data. For example, if a user posts a status labeled with a location information, 
then the user is connected with the location's public information. 

When a user searches a public information in Facebook, he will be directed 
to a public information page which consists of the content of the public infor- 
mation, its related public information as well as his friends' relevant activities. 
For example, a public information page about Paris that a user gets in Face- 
book contains Paris's Wikipedia article, 'Friends who have visited Paris' ('Were 
here', 'Have worked here', 'Have lived here', etc), Photos of my friends in Pairs', 
'Places in Paris' (e.g., Opera Gamier, Eiffel Tower, Notre Dame), 'Related Pages' 
(e.g., Pont Neuf), (friend) recommendations and so on. We notice that a public 
information page is different from a usual Facebook page. On one hand, an or- 
ganization's Facebook page is established and maintained by a user (or several 
users) representing this organization in Facebook and essentially it is the same 
as a personal page. On the other hand, a public information page is generated 
by Facebook automatically, and users will get different views for the same pub- 
lic information - the different parts are related to the users' friends' activities, 
the content and the related public information remain the same. 



3.3 Public Information based Access Control 

In addition to facilitate users' interaction, it is possible to use public informa- 
tion in expressing access control requirements. For example, in the first scenario 
discussed in Sect. [TJ besides being friends with Alice, the requester has to be 
related to Victor Hugo; in the second one, the qualified requester needs to be 
linked with Bob only through a city that they have both been to; in the third 
one, the requester is asked to be connected with Charlie through not only a 
friend relation but also their employers' connection. Here, Victor Hugo, the city 
and the companies can all be public information. 



All the above access control requirements are meaningful and in line with the 
development of social networks. However, the current access control in Facebook 
as well as schemes proposed in the research literature mainly focus on relation- 
ships among users, public information are not taken into account. Therefore, in 
this paper, we propose a new access control scheme, in which policies can be 
expressed based on both users and public information, and their relationships. 

4 A Model of Online Social Networks 

Our social network model contains information of (1) users and their social 
relationships, (2) public information and their connections, and (3) links between 
users and public information. Public information and users are essentially two 
different concepts - public information are imported from external databases, 
and they cannot perform actions and establish relationships with each other as 
users; relationships among public information are also extracted from external 
sources. Therefore, we treat public information and users separately. We model 
social networks as a tuple {UQ, VQ, p,g). A user graph is denoted by UQ, and it 
depicts users and their relationships. The public information graph is denoted 
by VQ, which represents all public information and connections among them. 
Two maps, i.e., p and g, store links between users and public information. 

4.1 User Graph 

The set U contains all users in a social network. Each user is affiliated with some 
basic information which are treated as attributes of the user. We use U1Z = 
{a\, . . . , a m } to denote a (finite) set of relationship types supported in the social 
network. The semantics of each relationship type can be defined as on C U x U. If 
two users u a and Ub are in a relationship of type oii, then we write (u a , Ub) G on. 
For a relationship type at £ U1Z, there possibly exists its reverse relationship 
type, e.g., if on stands for husbandof, then its reverse is wifeof. We use a7 L x € U1Z 
to denote the reverse of on. If on = a^ , then on is a symmetric relationship, 
e.g., friend is a typical symmetric relationship. User graph UQ is a directed graph 
denoted by (U,U£), where every user in the social network is a node and the set 
of edges, i.e., US, is defined as {(u a , Ub, on) \ u a ,Ub £hi and (u a , Ub) € a{\. 

4.2 Public Information Graph 

Similarly, we can define public information graph. We use the set V to de- 
note all public information that are extracted from external databases, such as 
Wikipcdia and some geography databases. Each public information f c has its 
own attributes. We use VIZ = {fi\, . . . ,f3 e } to denote a (finite) set of relation- 
ship types on public information. Each relationship type /3j can be defined as 
/3j C V x V. If /3j's reverse relationship type exists, it is denoted by (3J 1 . Public 
information graph is formally denoted as VQ = (V,V£), where V is the set of 
nodes and V£ is defined as {(/ c , f d , fy) | f c , f d e V and (f c , f d ) e /3j}. 



4.3 Links between UQ and VQ 

There are a lot of connections between users and public information. As the 
social network is modeled as UQ and VQ, we define two maps, i.e., p and g, 
between them to describe their connections: 

p:U^2 v and g:V^2 u . 

For a user u a S U, p(u a ) is a subset of the nodes in VQ that are related to u a - 
The map p{u a ) may contain a lot of different types of public information, such as 
museums, universities, pop stars, etc, which are computed by the social network 
with the information that u a provides. For a public information f c G V , g(f c ) 
gives all the users in UQ who have been involved in activities or have information 
related to f c . How to compute p and g is not the focus of this paper, we assume 
that p and g always give us the right results. 

4.4 A Model Sample 

A sample social network model is shown in Fig. [I] whose left side is a UQ 
and right side is a VQ. Edges in the graph with double arrows implies that 
the relationships are symmetric. For example, Alice and Bob are friends; and 
Company A and Company B are rivals. The dash lines between users and public 
information reflect the links between UQ and VQ, which are formally captured by 
the two maps p and g. (The part contained in the dashed box in the right-bottom 
corner will be discussed in Sect. [7]) 

5 Hybrid Logic 

In [TO], a hybrid logic is used to define access control policies for social networks. 
We adopt their logic and introduce a new type of formulas tp. With such formulas, 
we can define policies based on information in VQ. Moreover, two new logic 
operators are introduced to connect formulas based on the information in UQ 
and VQ, respectively. In this way, we can combine resources from both UQ and 
VQ to specify new and expressive access control policies. 



5.1 Syntax 

The syntax of our hybrid logic is given as follows. 



v> 



m | x 
n | y 

s | p | ^(j> | 0i A <j>2 I («i)0 I O s </> I V x c/) | >V 
t | q j ^ J Vi A ip 2 J Wj)tp | •tip | T y V I ►</> 



In our logic, there are mainly two types of formulas. The user formulas <f> manip- 
ulate information on the user graph UQ , while the public information formulas 




Fig. 1. A sample social network model. 



ip are defined on VQ '. Three kinds of atoms are supported in our logic, i.e., nomi- 
nate (m and n), variables (x and y) and proposition symbols (p and q). Nominal 
m represents the name of a user in UQ, while n represents the name of a public 
information in VQ. Propositional symbol p is used for specifying the attributes 
of u a € U and similarly q is used for f c G V '. For example, p can be IsMale and 
q can be IsPublicFigure. Atoms m, x and p are used in user formulas <fi, while n, 
y and q are used in public information formulas ip. Negation -i and conjunction 
A can be used to define disjunction V. Therefore, we also use V in both <j> and 
ip. (oti) and ((3j) are two modal logic operators. As described in Sect. El symbols 
on and (ij represent the relationship types in UQ and VQ, respectively. Hybrid 
logic operator O can be used either with a nominal or variable, while V can only 
operate on variables. The same holds for • and T. Two new logic operators, i.e., 
> and ►, are used to connect the two types of formulas cf) and ijj together. 

5.2 Semantics 



Our model for evaluating access control policy formulas contains six parts, i.e., 
r, A, p, g, cur_n, r, where r — (UQ, Vjj) and A — [VQ, Vp). Vy is a map between 
atoms (either m or p) and users in UQ, i.e., Vu{m) is a set that contains only one 
user in UQ whose name is m and Vu(p) is a set of users that have the attribute 
as specified by p. Similarly we can define Vp(n) and Vp(q). As introduced in 
Sect. |1J p and g maintained by the social network connect users and public 



information. Node curjn refers to cither a user u a in UQ or a public information 
f c in VQ. Valuation r stores all the maps from variables in the policy formula 
to vertices in either UQ or VQ. When there is a map from x to u a (y to / c ), we 
write t[x <-^ u a ) {r[y i-» f c ]). 

We use satisfaction relation r, A, p, g,u a ,r \= <j> to describe the meaning of 
user formula <f>. 

iff u a = t(x) 

iff Vu(m) = {«„} 

iff w a G Vj7(p) 

iff r, Z\,p, g, u a ,T ¥ (f) 

iff r,A,p,g,u a ,r t= 0i and V,A,p,g,u a ,r \= <p 2 

iff 3«b G W such that (u a , Mb) G a; 

and i -1 , A,p,g,Ub,T\=(f) 

iff I 1 , Z\, p, g, UbjT \= <ft where Vy (m) = {uf,} 

iff r,Zi,/),^,T(x),TN 

iff r, A, p, q, u a , t[x i-» u a ] N 

iff 3/ c G p(w a ) such that J 1 , Z\, p, £, / c , r N ^ 

The first three relations express the meaning of atoms. When is a single variable 
x, it holds if and only if when a map from x to u a is contained in r. If <f> is a single 
nominal or propositional symbol, it is true if and only if when u a is in the set 
defined by Vjj- When several modal logic operators ((afj)) are aligned sequentially 
in a formula, they can represent a relationship path, e.g., user can define a policy 
to regulate that only friends of friends can access his resource. 

The hybrid logic operator O s jumps to the node that s refers to in UQ, 
and V x 4> adds a map from x to u a into r. The new operator, i.e., >ip, links a 
user formula <p with a public information formula ip - it maps the current node 
u a in UQ to a set of public information in VQ that are related to this user. If 
there is one public information in p(u a ) satisfying ip, then the formula \>ip holds. 
Combing formula \>ip with propositions, we can link a user to a more specific 
set of public information. We write \> q ip for \>(q A ip) and its meaning can be 
reinterpreted as: 

r, A, p,g,u a ,r\= \> q ip iff 3f c G p(u a ) n V P (q) such that f, A, p, g, f c ,r\=ip 

In the following, we give the meaning of public information formulas ip. 



\A 


P 


Q, 


U a 


T \= X 


\A 


P 


Q, 


U a 


t \= m 


\A 


P 


9, 


U a 


T \= p 


\A 


P, 


Q, 


U a 


T \= ->(f) 


\A 


P 


Q, 


U a 


T \= 4>l A 02 


\A 


P, 


Q, 


U a 


T \= {Cti)(p 


\A 


P 


Q, 


u a 


t N O m 


\A 


P 


Q, 


U a 


tNOx</) 


\A 


P 


Q, 


u a 


t\= V x 


\A 


P 


Q, 


u a 


T \= \>1p 



r,A,p,g,f c ,r\= y 
r,A,p,g,f c ,r\= n 
r,A,p,g,f c ,r\= q 

r,A,p,g,f c ,T\= ^tp 

r,A,p,Q,f c ,T\= Ipl A -02 

r,A,p,g,f c ,r\= (Pj)ip 

r,A,p,g,f c ,r\= n ip 
r,A,p,g,f c ,r\= * y ijj 
r,A,p,g,f c ,r\= J yip 
r,A,p,g,f c ,r\= ►<£ 



iff f c = r(y) 

iff V P (n) = {f c } 

iff f c G Vp(q) 

iff r,A,p,g,f c ,T^ ip 

iff r, A, p, g, f c , r\=ipi and T, A, p, g, f c , t \= ip 2 

iff Bf d eV such that (UfJePj 

and r,A,p,g,f d ,T N ip 
iff r, A, p, g, f d , r^ip where V P (n) = {f d } 
iff r,A,p,g,r(y),T\= ip 
iff r, A, p, g, f c , r[y i-> f c ] 1= ip 
iff 3u a G g{f c ) such that r, A, p, g, u a , t\= <f> 



It is easy to find that the semantics of public information formulas resembles 
the user formulas. Therefore, information in VQ can be used in access control 
policies in a same way as in UQ. When the evaluation process encounters the 
operator ► </>, the public information node f c is mapped to users that are related 
to it inUQ. If 4> holds at one of these users, then the formula ►^ is true. Similarly, 
we define >- p <j> as ►(pA 4>) and reformulate its semantics. 

5.3 Expressing Access Control Policies 

There are always four elements in an access scenario, i.e., a requester, a target, 
an action and access control policies. More precisely, the requester tries to per- 
form an action against the target, whether he succeeds or not depends on the 
access control policies defined over the target. We use variable req to represent 
the requester. With multiple services supported by the social network, a target 
can be a user or a resource. For simplicity, we assume that the target can only 
be a resource owned by some user. Normally, a user can define an access control 
policy for the resources that he owns. But in some cases, the access of a resource 
is decided by several users. This is the subject of collaborative access control 
management, e.g., see |12I13I14I15| . which is not the focus of this paper. We 
assume that a resource is attached with only one access control policy that is 
defined by its owner represented by the variable own. The only action we con- 
sider is 'view', other actions, such as 'comment', 'tag' and 'share', are affiliated 
with it, i.e., when a user is able to view a resource published by another user, 
he can comment or share it as wellrjThus, we ignore actions in the access con- 
trol policy. In social networks, both the requester and the owner are users. We 
restrict that an access control formula has to start with either the requester or 
the owner, i.e., policy formulas are in the form either wn<^ or Oreq^- 

5.4 Model Checking 

Given a social network model (UQ,VQ , p, g) and an access control policy ex- 
pressed in our hybrid logic as a formula <f>, the satisfaction of T, A,p, g,u a ,T \= 4> 
with r[own H> u a , req i-> Ub], r = (UQ, Vjj) and A = (VQ, Vp) is formulated as 
a local model checking problem [21] by Bruns et al. [TO] . 

Except for the user graph UQ used in [21 , our social network model cap- 
tures public information and their relationships. Moreover, our logic essentially 
extends the one of |21j with public information formulas ip defined on VQ and 
two new operators > and ► connecting user formulas and public information 
formulas. In principle, we can reuse the model checking algorithm of Bruns et 
al. [10]. As formulas of the form t>ip' or ►0 / explore the links between UQ and 
VQ, we need to treat them differently. A formula >ip' maps the current node 
(cur_n) in UQ to a a set of public information in VQ. As long as there is one 
public information in p(cur_n) satisfying ijj, then cf> holds. The formula ►(/>' is 
defined similarly. To check them, we can develop a sub-routine similar to MCmay 



This is supported by Facebook. 



of Bruns et al. [10] , which first computes the set of all public information (users) 
related to a specific user (public information) and then iterate through the set 
until one of them makes the connected formula i/j' (cf>') hold on VQ iUQ)- For 
formulas \>(q Atp r ) and ►(p A <ft') as discussed in Sect. [5] we can further reduce 
the size of the computed set by using positions p and q to improve the efficiency 
in model checking. 

6 Example Policies 

In order to show the expressiveness of our new scheme based on the social net- 
work model, we design several real-life scenarios and give their corresponding 
formulas in our logic. We use the social network model depicted in Fig. [T] Val- 
uation g contains two maps own i— > u and req i— > u r , where u ,u r £ U are 
the owner and the requester, respectively. 

Scenario 1. Eve owns a photo and only wants her friends or friends of friends 
to view it. The policy can be defined as follows: 

Oown{{friend)req V (friend) (friend) req) . 

The hybrid logic operator Oown drives the formula to start at Eve who is the 
owner of the resource. The requirement "friends of friends" is achieved by align- 
ing (friend) twice which forms a relationship path of length two. In Fig. [Tl Alice, 
Frank and Gabriele can view the photo because they are friends of Eve, Bob and 
Danny are also eligible as they are Eve's friends of friends. 

In order to restrict the access to the photo, except for her friends, Eve regu- 
lates that the qualified requester should have at least three common friends with 
her. The policy is written as 

own ((friend)req V (friend) 3 (friend) req). 

This is the 'n-common friends' policy defined in 7 J, (friend)^ expresses 'at least 
three different friends' in the formula. In |10j . the authors show how to implement 
this policy with the logic operators V x and O s - As Bob has three common friends 
with Eve, he can still view the photo. On the hand, Danny is not eligible anymore 
as he only has one common friend with Eve. 

Scenario 2. Let us recall the first access control scenario discussed in Sect. [Tl 
which exploits the information in VQ. Alice shares an article about Victor Hugo 
and she only wants her friends who have read any literary works of Hugo to view 
it. The policy is formulated as 

Oown (friend) (req A [>( written?;?/) VictorHugo). 

The operator E> links UQ with VQ. VictorHugo is a nominal in the formula, and 
the set Vp (VictorHugo) only contains the node in VQ which is Victor Hugo's 
public information. To make the map more precisely, we can use t>i S Book to 
replace > in the formula. As shown in Fig. [TJ only Eve is able to view this 
article. 



71 is-in ~ " I is-in" (~ 
1 — >J City A — >J I 



| Place 2 — — ■] City A [ • [ Place 5 [ -(jequesteT) ^Bob)-— ] Place 2 — — » | City B — — - \ Place 5 [ ---(requester 

ic_in ^^' ^^-^ ic_in ^^^^^^"~.. ,*^^^^™^^^^ 

ace 6 Place 3 — — »| City C — — J Place 6 



Fig. 2. Connections between Bob and qualified requesters. 



Scenario 3. In the second example in Sect.[T] Bob has an album containing his 
traveling photos. He believes that a user who used to be in a same city as he 
did is an ideal candidate to view this album. We assume that a user can only 
be linked to a place's public information, but not a city's. For example, a user's 
photo can be labeled with any park or square of a city, but not the city itself. 
The policy can be written as 



Oown > (is-in) (is-in 



req. 



This formula contains the operators > and ►, and it has the following form: 
<f>it>ip>- (f>2- Operator > maps Bob to all public information related to him, again, 
we can use t> isLocation to replace it. The sub-formula (is-in) (is- in~ ) traverses 
all places in a city that is visited by Bob. In our sample model in Fig. [l] only 
Alice can view the album as both Bob and she used to visit the same city Paris. 

Next, Bob wants to be more strict with the access to his album. He regulates 
that the qualified requester's travel records should be similar to his. There are 
several ways to translate the similar travel records into a concrete policy, and 
we discuss two of them. 

The first one, the requester must have been to at least three places in one 
city and Bob himself also visited three places in the same city. This requirement 
is proposed to guarantee that the purposes of both the requester and Bob being 
in this city are for travel not other activities such as short business trip or plane 
transfer. The corresponding policy formula is presented in the following 



Oown > T Vl {lS-HI > 



> T 

Oown > ▼ 



3/7 * 



' 2/4 



(req A 



tj/1 A (is-in) (yj A (is-in 



Tij4 A ►(req A 



2/3 (~1/l A ""3/2 A (is-in) (y 7 A (is-in ) l yB (~^y A A ^y 5 A I 



•req)))))))). 



The left part of Fig. [2] depicts an example of the minimal number (three) of 
relationship paths in VQ needed between a qualified requester and Bob. Three 
variables, i.e., y\, y 2 and 2/3, mark three different places that Bob used to be; 
so do 2/4, 2/5 and 2/6 for the requester. We notice that the places that Bob has 
been to need not to be distinguished from the ones visited by the requester. 
Variable 2/7 guarantees that all these places are in the same city. Therefore, the 
three relationship paths have one node in common, i.e., 'City A'. 

The second way to describe similar travel records is that the qualified re- 
quester has been to at least three different cities all of which Bob has visited 



before. The corresponding policy is given below 

Oown > (is-in)l Vl (is-in~ l ) ► (req A 

Oown > {is-in)l y,{-iy\ A (is-in^ 1 ) ► (req A 

Oown > (is-m)T 'y 3 (->yi A ^2/2 A (is-in^ 1 ) ► req)))). 

The connections between the requester and the owner are shown in the right part 
of Fig. [2] As places that Bob has visited are in different cities, we don't need to 
use variables to mark and distinguish them, the same holds for the requester. 
Cities are marked by the variables y\ , 2/2 and j/3 . The conjunction of their negative 
forms in the formula guarantees that the cities are different. We can even combine 
the relationship paths depicted in Fig. [2] to achieve a more strict requirement, 
i.e., the requester has to have visited at least three cities as Bob has, and both 
Bob and the requester have been to at least three different places in each of the 
cities. Since the public information and their relationships are extracted from 
external sources, complicated relationship paths as shown in this example give 
rise to more meaningful and expressive access control policies. 

Scenario 4- I n the third example in Sect IT] Charlie only allows his friends who 
work in the rival company of his own company to view his status. The policy is 
formally dchncd as below: 

wn((> (rival) ► req) A (friend) req) . 

Different from policies in previous scenarios, this one requires that the owner and 
the requester are linked through information in both UQ and VQ. More precisely, 
the sub- formula \> (rival)*- regulates that the qualified requester need to work 
for Company B's rival, i.e., Company A; and the sub-formula (friend) filters 
out the requester who is not a friend of Charlie. We use a conjunction symbol 
to combine these two parts. In Fig. [IJ only Bob is qualified as he is a friend 
of Charlie and he works for Company A. As shown in the previous scenarios, 
policies can be defined in either UQ or VQ. By combining them together, more 
strict access control requirements can be achieved, as shown in this scenario. 



7 Using Category Relation in Access Control 

7.1 The Category Relation in VQ 

Let us first consider another scenario. In the model depicted in Fig. [TJ Charlie is 
linked with several kinds of sports including Basketball and Tennis. Bob is also 
a sport fan and his favorite one is Tennis, while Danny likes Volleyball. Charlie 
has a photo depicting him playing tennis. He only wants his friends who are 
linked with Tennis to view it. The policy can be defined as 

Oown (friend) (req A ([> Tennis)). 



As Bob likes Tennis, he can view the photo. Now, Charlie decides to relax the 
restriction such that the qualified requester should be his friend who likes any 
kinds of sports. He modifies his policy as follows: 

Oown (friend) (req A >(( is- a) Sports)). 

Relationship path (is- a) in the formula marks all the public information that are 
in an is-a relation with Sports in VQ, e.g., Tennis. However, this policy cannot 
achieve Charlie's goal. For example, Danny is not able to view this photo even 
he is supposed to be. This is because Volleyball is not linked with Sports but 
with Team Sports with the is-a relationship as shown in Fig. |Tj In order to grant 
access to Danny, Charlie again modifies the policy as follows: 

Oown (friend) (req A D> ((is- a) S ports V (is-a) (is- a) Sports)). 

There exist many public information related to Sports in the social network, 
and the is-a relationship paths between them and Sports in VQ can be of different 
lengths, e.g., Team Sports is directly connected with Sports, Basketball is two 
steps away from Sports, and the distance between Streetball and Sports is three 
(as shown in Fig. nl . Defining a policy by enumerating all possible lengths is not 
an acceptable solution. 

The is-a relations among public information in VQ are based on links of 
these public information's corresponding Wikipedia articles. In Wikipedia, arti- 
cles are organized by means of categories, and all categories are connected with 
each other resulting into an acyclic directed graph, called category graph. Each 
article is associated with at least one category. Some articles can be main articles 
of the related categories, e.g., Sports is the main article of 'Category:Sports'. Ar- 
ticles under a certain category are linked with the main article of this category. 
Therefore, their corresponding public information are linked together, we name 
this kind of links category relation, i.e., the is-a relationship. As category graph 
is acyclic, public information linked with is-a relationships also form an acyclic 
graph, e.g., see the dashed box in Fig. [I] 



7.2 Logic with the Category Relation 

To make use of the category relations among public information in our policies, 
we introduce a function on VQ and a new symbol in our logic. The function cf 
is formally defined as 

uu \\ — \ {•k} $f d such that (-^'^ c ) e is ~ a 

cJWJcn | Uc/ ({ /d} ) V / d such that (f d J c ) G is-a 

The result of c/({/ c }) contains f c and all its descendants in an acyclic graph 
based on is-a relationships in VQ. 

In our hybrid logic, nominal n can represent name of any public information 
in VQ. In order to refer to the node named n as well as all its descendants 



in the formula, we add a category nominal [n\ into our logic. The syntax of 
formulas ip is extended as follows: 

ij> ::= t | [n\ | q | -^> | Vi A ^2 | (j)^> | •tV I ▼ J /^ I ► 0- 

The semantics of [n\ is 

r, A p, g, f c , t N [nj iff / c G c/(V P (n)) U V P (n). 

With the category nominal, Charlie can easily redefine his policy in the pre- 
vious example as 

Oown (friend) (req A > [SportsJ ). 

Now, all friends of Charlie who are related to any kind of sport activities, such 
as Bob and Danny, are able to access the photo. 

Similar to the ones with their contents from Wikipedia, public information 
from geography databases, i.e., places, together with is-in relationships among 
them also naturally compose an acyclic graph. Therefore, we are able to define 
policies to qualify the requester, such as "only my friends who have ever been to 
Europe", in a concise way without listing different length of is-in relationship 
paths in VQ. Other types of hierarchical relationships on public information can 
also be investigated for the same purpose. 

8 Comparison 

In this section, we compare our new scheme with relationship-based access con- 
trol schemes in the literature [1013112) . 

The model of social networks in [TU] is the same as our user graph UQ, con- 
taining users and their relationships and public information are not treated as 
entities in the model. As a consequence, access control policies only make use 
of users' social representations. On the other hand, it seems possible to express 
connections between users and public information through propositions in |10j . 
For example, a proposition Is VictorHugoFan can be used to express the connec- 
tion between a user and Victor Hugo in a policy formula. In this case, each user 
will be affiliated with a large amount of attributes. Apparently, this solution is 
neither ideal or practical. Moreover, access control policies that explore relation- 
ships between public information, such as the examples in scenario 3 and 4 of 
Sect. |6j cannot be captured by propositions. 

The work proposed in [3] does not explicitly take into account public infor- 
mation and their relationships. However, this work has two interesting features. 
First, in the social network model, users' resources are treated as independent 
entities. Relationships between users and resources are not restricted only to 
ownership, e.g., the relationship between a user and a photo that he is tagged 
in is modeled as 'photoOf in their language. Thus, collaborative access con- 
trol is possible in their model. Second, due to the fact that social networks are 
modeled with semantic web technologies, hierarchy information among users' re- 
lationships are naturally supported as well as actions and resources, which make 



policy propagation possible. For example, if a user defines a policy to regulate 
the qualified requester to be his friends, then users who are in a closer relation- 
ship, such as 'good friend', with him are automatically qualified. In our work, 
we have used the semantic relations among the public information in Sect. [7] to 
facilitate users to express their policies concisely. 

Similarly, the scheme in [12[ does not take into account public information 
neither. In this model, attributes of users are not represented. Moreover, their 
policy language seems weaker than ours - negation symbol only works with 
relationship paths, but not on nodes. Hence, policies such as "all my friends but 
Alice can view my photo" cannot be expressed. On the other hand, this work has 
some features that our model cannot support. First, the social network model 
treats resources as nodes which is similar to the one in [3], and actions that 
users performed on their resources are recognized as relationships. For example, 
a user can regulate that only users who used to comment on a same photo as he 
did is able to poke him. Second, the authors propose a simple solution through 
administrative policies for collaborative access control. To achieve this in our 
model, we need to add a decision module in the model checking algorithm. 

The two schemes [3I12| can potentially treat public information as users' 
resources, i.e., modeled as nodes in their social network model. However, as we 
explained in Sect. HI public information are extracted from external databases, 
and relationships among them are different from the ones between users. In our 
work, we apply the separation of concerns principle to model public information 
and their relationships separately from users and their social links. 



9 Conclusion and Future Work 

In this paper, we first identified a new type of access control policies that are 
meaningful but have never been addressed in the literature. Namely, users in 
social networks can express access control requirements not only based on their 
social relations, but also on their connections through public information. Then 
we defined a social network model containing users and public information. Based 
on this model, we proposed a hybrid logic to define access control policies. We 
gave a number of policies based on public information and formulated them 
precisely in our proposed logic. In addition, we have used category relations 
among public information to extend our logic and make it more practical. 

In the future, we plan to extend our work in several directions. First, we 
want to improve the expressiveness of our social network model by integrating 
user resources as [3I12J . As resources are different from users, modeling resources 
explicitly may address more expressive access control policies. The connections 
between resources and public information will be interesting to study as well. 
Second, policy propagations can be supported in our model by defining hierar- 
chies among users' relationships. In this case, we would also need to adapt our 
model checking algorithm. Third, it is very interesting for us to develop privacy- 
preserving protocols for access control enforcement in our scheme, in line with 
those developed in |4|5|6) . 



References 

1. Gates, C.E.: Access control requirements for Web 2.0 security and privacy. In: 
Proc. IEEE Workshop on Web2.0 Security and Privacy (W2SP). (2007) 

2. Carminati, B., Ferrari, E., Perego, A.: Enforcing access control in web-based social 
networks. ACM Transactions on Information & System Security 13(1) (2009) 
Article No. 6 

3. Carminati, B., Ferrari, E., Heatherly, R., Kantarcioglu, M., Thuraisingham, B.: A 
semantic web based framework for social network access control. In: Proc. 14th 
ACM Symposium on Access Control Models and Technologies (S ACM AT), ACM 
(2009) 177-186 

4. Carminati, B., Ferrari, E.: Privacy-aware collaborative access control in web-based 
social networks. In: Proc. 22nd IFIP WG 11.3 Working Conference on Data and 
Applications Security (DBSEC). Volume 5094 of LNCS., Springer (2008) 81-96 

5. Carminati, B., Ferrari, E.: Enforcing relationships privacy through collaborative 
access control in web-based social networks. In: Proc. 5th International Conference 
on Collaborative Computing (CollaborateCom), IEEE CS (2009) 1-8 

6. Xue, M., Carminati, B., Ferrari, E.: P3D - privacy-preserving path discovery in 
decentralized online social networks. In: Proc. 35th IEEE International Computer 
Software and Applications Conference (COMPSAC), IEEE CS (2011) 48-57 

7. Fong, P.W.L., Anwar, M.M., Zhao, Z.: A privacy preservation model for Facebook- 
style social network systems. In: Proc. 14th European Symposium on Research In 
Computer Security (ESORICS). LNCS, Springer (2009) 303-320 

8. Fong, P.W.L.: Relationship-based access control: protection model and policy lan- 
guage. In: Proc. 1st ACM Conference on Data and Application Security and 
Privacy (CODASPY), ACM (2011) 191-202 

9. Fong, P.W.L., Siahaan, I.: Relationship-based access control policies and their 
policy languages. In: Proc. 16th ACM Symposium on Access Control Models and 
Technologies (SACMAT), ACM (2011) 51-60 

10. Bruns, C, Fong, P.W.L., Siahaan, I., Huth, M.: Relationship-based access control: 
its expression and enforcement through hybrid logic. In: Proc. 2nd ACM Confer- 
ence on Data and Application Security and Privacy (CODASPY), ACM (2012) 
117-124 

11. Anwar, M.M., Fong, P.W.L.: A visualization tool for evaluating access control 
policies in Facebook-style social network systems. In: Proc. 27th ACM Symposium 
on Applied Computing (SAC), ACM (2012) 1443-1450 

12. Cheng, Y., Park, J., Sandhu, R.S.: Relationship-based access control for online 
social networks: beyond user-to-user relationships. In: Proc. 4th IEEE International 
Conference on Information Privacy, Security, Risk and Trust (PASSAT), IEEE CS 
(2012) 646-655 

13. Squicciarini, A.C., Shehab, M., Paci, F.: Collective privacy management in social 
networks. In: Proc. 18th International Conference on World Wide Web (WWW), 
ACM (2009) 521-530 

14. Sun, Y., Zhang, C, Pang, J., Alcalde, B., Mauw, S.: A trust-augmented voting 
scheme for collaborative privacy management. Journal of Computer Security 20(4) 
(2012) 437-459 

15. Hu, H., Ahn, G.J., Jorgensen, J.: Multiparty access control for online social net- 
works: Model and mechanisms. IEEE Transactions on Knowledge and Data Engi- 
neering (2013) To appear. 



16. Besmer, A., Lipford, H.: Moving beyond untagging: photo privacy in a tagged 
world. In: Proc. 28th ACM Conference on Human Factors in Computing Systems, 
ACM (2010) 1563-1572 

17. Klemperer, P., Liang, Y., Mazurek, M., Sleeper, M., Ur, B., Bauer, L., Cranor, L., 
Gupta, N., M.Reiter: Moving beyond untagging: photo privacy in a tagged world. 
In: Proc. 30th ACM Conference on Human Factors in Computing Systems, ACM 
(2012) 377-386 

18. Felt, A., Evans, D.: Privacy protection for social networking platforms. In: Work- 
shop on Web 2.0 Security and Privacy. (2008) 

19. Singh, K., Bhola, S., Lee, W.: xBook: Redesigning privacy control in social network- 
ing platforms. In: Proc. 18th USENIX Security Symposium, USENIX Association 
(2009) 249-266 

20. Shehab, M., Squicciarini, A., Aim, G.J., Kokkinou, I.: Access control for online 
social networks third party applications. Computers & Security 31(8) (2012) 897- 
911 

21. Stirling, C, Walker, D.: Local model checking in the modal mu-calculus. Theoret- 
ical Computer Science 89(1) (1991) 161-177 



